From: Darrin Chandler
To: Jonathan Horne
Cc: freebsd-questions@freebsd.org
Date: Tue, 25 Jul 2006 20:44:32 -0700
Subject: Re: pf firewall for a server
Message-ID: <20060726034432.GA7790@jeeves.stilyagin.local>
In-Reply-To: <200607252030.46540.freebsd@dfwlp.com>

On Tue, Jul 25, 2006 at 08:30:46PM -0500, Jonathan Horne wrote:
> I've been googling for a while now this evening, but have unsuccessfully found
> any examples on how to firewall a server. I do *not* want to build a router,
> and unfortunately, every article I seem to find wants to tell me how to build
> a router!
>
> I just want to learn how to build a simple pf config suitable for a server.
> If anyone knows of a website where such an example might be found, that would
> be awesome (but direct config examples in a reply will also be duly
> appreciated as well :)

Most of the rulesets for router/gateway firewalls will give you lots of good
info for a single server, too. Understanding how the rules work is the name
of the game either way. The handbook is a great place to start, and the pf
faq on the OpenBSD site is another.

Here's a very simple but functional pf.conf to get you going:

-----
if1 = "ne0"                 # Our Interface
allowed_svc = "{ ssh www }" # Services to let in

set skip on lo

scrub in

block in
pass out keep state

antispoof quick for lo

pass in log on $if1 inet proto icmp to ($if1) keep state # Optional
pass in log on $if1 inet proto tcp to ($if1) port $allowed_svc \
    keep state
-----

That is something you can start with. BUT, you need to understand what the
rules do! Do read the handbook, faq, and man pages. See if you can find
anything wrong with the above ruleset.

--
Darrin Chandler            | Phoenix BSD Users Group
dwchandler@stilyagin.com   | http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |
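As an added example (not part of Darrin's reply, and not a project file), here is a stricter single-server ruleset in the same spirit as the one above: explicit default deny in both directions, only the ICMP types a host actually needs, and a table that automatically traps sources opening SSH connections too quickly. The interface name `ne0`, the loopback name `lo0` and the rate limits are assumed placeholders to adjust for your host.

```pf
# Added example, not from the original post. Interface names and the
# rate-limit numbers below are assumptions; adjust them for your host.
ext_if = "ne0"                   # assumed: the server's only interface

# Sources that hammer sshd end up here and are dropped until the table is
# flushed (pfctl -t bruteforce -T flush) or the entries are expired.
table <bruteforce> persist

set skip on lo0
set block-policy drop            # silently drop instead of sending RST/unreach

# Normalize incoming packets before any rule sees them.
scrub in all

# Default deny both ways; log inbound drops so they show up on pflog0.
block in log all
block out all

# Everything the server itself originates is allowed and state-tracked.
pass out quick on $ext_if keep state

# Drop packets claiming a source address that belongs on another interface.
antispoof quick for { lo0 $ext_if }

# Known brute-forcers are dropped before any pass rule is evaluated.
block drop in quick on $ext_if from <bruteforce>

# Just enough ICMP for ping and path-MTU discovery; other types stay blocked.
pass in on $ext_if inet proto icmp from any to ($ext_if) \
    icmp-type { echoreq, unreach } keep state

# SSH: more than 5 new connections in 30 s, or more than 10 open at once,
# from one source puts that source in <bruteforce> and kills its states.
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, overload <bruteforce> flush global)

# HTTP: only SYNs create state, so bare ACK/FIN scans never match here.
pass in on $ext_if inet proto tcp from any to ($ext_if) port www \
    flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and use `pfctl -t bruteforce -T show` to see which sources have been trapped.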